From 9bd6f13677e87119d33202a48f99bd0bd50c7e0f Mon Sep 17 00:00:00 2001
From: melaniekung <71947221+melaniekung@users.noreply.github.com>
Date: Tue, 7 Nov 2023 11:26:43 -0800
Subject: [PATCH] Add validation for static page slugs. (#1703) (#1705)
---
 apps/qubit/modules/staticpage/templates/editSuccess.php | 4 ++--
 lib/helper/QubitHelper.php | 4 ++++
 .../modules/staticpage/templates/editSuccess.php | 4 ++--
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/apps/qubit/modules/staticpage/templates/editSuccess.php b/apps/qubit/modules/staticpage/templates/editSuccess.php
index 6a6126939a..2cf381d534 100644
--- a/apps/qubit/modules/staticpage/templates/editSuccess.php
+++ b/apps/qubit/modules/staticpage/templates/editSuccess.php
@@ -28,9 +28,9 @@ title, $resource); ?>
 isProtected()) { ?>
- slug->renderRow(['class' => 'readOnly', 'disabled' => 'disabled']); ?>
+ slug->renderRow([['class' => 'readOnly'], 'disabled' => 'disabled']); ?>
- slug->renderRow(); ?>
+ slug->renderRow(['pattern' => '^[a-zA-Z][a-zA-Z0-9\-_]*$']); ?>
 content, $resource, ['class' => 'resizable']); ?>
diff --git a/lib/helper/QubitHelper.php b/lib/helper/QubitHelper.php
index db0d1817dd..bf4ed6b123 100644
--- a/lib/helper/QubitHelper.php
+++ b/lib/helper/QubitHelper.php
@@ -37,6 +37,10 @@ function render_field($field, $resource = null, array $options = [])
 $div = null;
 $culture = sfContext::getInstance()->user->getCulture();
+ if (isset($options['pattern'])) {
+ $options['pattern'] = '^[a-zA-Z][a-zA-Z0-9\-_]*$';
+ }
+
 $resourceRaw = sfOutputEscaper::unescape($resource);
 if (isset($resourceRaw) && $culture != $resourceRaw->sourceCulture) {
 if ($resourceRaw instanceof QubitSetting) {
diff --git a/plugins/arDominionB5Plugin/modules/staticpage/templates/editSuccess.php b/plugins/arDominionB5Plugin/modules/staticpage/templates/editSuccess.php
index faf101fafb..dd300753c0 100644
--- a/plugins/arDominionB5Plugin/modules/staticpage/templates/editSuccess.php
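Review bot: The `pattern` attribute added to the editable slug row in apps/qubit/modules/staticpage/templates/editSuccess.php is checked by the browser only, so a request that does not go through this form is not constrained by it, and the diffstat shows no server-side validator change in this commit. If the slug rule matters for routing or links, enforce the same expression where the form is validated and note it next to the row, e.g. `<?php // pattern is a client-side hint; the server-side slug check is authoritative ?>`. The arDominionB5Plugin template hunk has the same limitation. Separately, the protected branch now passes `[['class' => 'readOnly'], 'disabled' => 'disabled']`, which moves `class` into a nested array at index 0 instead of leaving it an attribute key; this looks unintended, and `['class' => 'readOnly', 'disabled' => 'disabled']` would keep the previous behaviour.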
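Review bot: In `render_field()` (lib/helper/QubitHelper.php) the added block replaces any `pattern` the caller supplied with the hard-coded slug expression, so the helper cannot be used with a different pattern, and the `^[a-zA-Z0-9\-_]+$` passed by the arDominionB5Plugin template is silently swapped for one that also requires a leading letter. This appears to be a general-purpose rendering helper, so I would remove the three added lines and let each template pass the expression it wants, or keep one shared expression and reference it from both templates. If the override is intentional it needs a comment saying so, e.g. `// slug is the only field that sets 'pattern'; force the canonical slug expression`. The rest of `render_field()` is outside the hunk, so where `$options['pattern']` reaches the rendered input cannot be confirmed from here.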
+++ b/plugins/arDominionB5Plugin/modules/staticpage/templates/editSuccess.php
@@ -35,9 +35,9 @@ title, $resource); ?>
 isProtected()) { ?>
- slug, null, ['disabled' => 'disabled']); ?>
+ slug, null, ['disabled' => 'disabled', 'type' => 'url']); ?>
- slug); ?>
+ slug, null, ['pattern' => '^[a-zA-Z0-9\-_]+$']); ?>
 content, $resource); ?>
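Review bot: `'type' => 'url'` on the disabled slug field in the arDominionB5Plugin template does not match the data, since a slug is a single path segment rather than an absolute URL, and the apps/qubit template makes no equivalent change; `['disabled' => 'disabled']` alone would keep the two themes aligned. The editable branch passes `^[a-zA-Z0-9\-_]+$`, which differs from the `^[a-zA-Z][a-zA-Z0-9\-_]*$` used in the other two files (it accepts a leading digit, hyphen or underscore), so one expression should be chosen and used in all three places.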